Date: Tue, 26 Jun 2007 17:14:59 -0500
From: Eric F Crist <ecrist@secure-computing.net>
To: Bruce A. Mah <bmah@freebsd.org>
Cc: freebsd-net@freebsd.org, "Bruce M. Simpson" <bms@freebsd.org>
Subject: Re: IPv6 Woes...
Message-ID: <B43A4B9D-4CB9-435B-94E9-766647CD8776@secure-computing.net>
In-Reply-To: <46818609.3080202@freebsd.org>
References: <39D6F9D8-3A2C-4AD7-9FA4-0024E304194A@secure-computing.net>
 <468011FC.4050308@FreeBSD.org>
 <7731B558-35C7-4E22-A40D-8BCE208AFD6A@secure-computing.net>
 <468063F6.2050303@FreeBSD.org>
 <8AA398FC-A753-4BB8-A93F-224FDDCE41BA@secure-computing.net>
 <46818609.3080202@freebsd.org>

On Jun 26, 2007, at 4:32 PM, Bruce A. Mah wrote:

> If memory serves me right, Eric F Crist wrote:
>> Hi Eric--
>
> First note that I'm a different Bruce than the chap who's been helping
> thus far. :-)
>
> BTW, use "ndp -a" to see this.
> Your setup is not *too* different from what I have at home in terms of
> network topology and what you hope to accomplish. (I have a Soekris
> net4801 running 6.2-STABLE and acting as a filtering bridge between an
> IPv4 /29 and the rest of the Internet, and also terminating a gif(4)
> tunnel for IPv6.)
>
>> This is so that I don't have to do routing on my firewall. I have an
>> IPv4 /28 network, so a limited number of IP addresses, this saves one
>> of those. This system is filtering traffic with PF. That's really
>> the only reason for the bridging. Also, it does allow me to do
>> traffic shaping and bandwidth monitoring. This bridging stuff
>> really, as you said, has nothing to do with my IPv6 configuration
>> issues.
>
> I think the biggest difference between your network and mine is that
> rather than using options BRIDGE I'm using the if_bridge(4) driver
> between my "inside" and "outside" network interfaces. The physical
> interfaces in the bridge are unnumbered and the if_bridge
> pseudo_interface has IPv4 and IPv6 addresses.
>
> The main reason for doing this is that I've seen that bridge(4) can
> have difficulty determining the correct physical interface to use for
> packets that originate on the bridging host. I recall having this
> problem with pfnat. (I don't remember the exact details, but I did
> some postings to the m0n0wall mailing lists on this topic some time
> ago...your favorite search engine can probably help find these
> messages.)
>
> I wonder if the problem I've seen with bridge(4) might be related to
> your IPv6 problems (since you're terminating the tunnel on your
> firewall). If so, maybe switching to if_bridge(4) as I've described
> above might help things.
>
> In any case, good luck!

Bruce!

Thanks for all the help! That did the trick! Only one more thing that's holding me up. On my gateway, I've got 2001:4980:1:111::145/64 as the primary IP address. In addition, I've got 2001:4980:1:111::1/128 as an alias. I can ping/connect to the xxx:145 address, but not the xxx:1 address. What did I configure wrong?

Here's the output of netstat -r -f inet6:

Routing tables

Internet6:
Destination                     Gateway                         Flags Refs  Use    Mtu Netif Expire
::                              localhost.secure-computing.net  UGRS     0    0  16384 lo0 =>
default                         2001:4980:1::5                  UGS      0    0   1280 gif0
localhost.secure-computing.net  localhost.secure-computing.net  UHL      5    0  16384 lo0
::ffff:0.0.0.0                  localhost.secure-computing.net  UGRS     0    0  16384 lo0
2001:4980:1::4                  link#7                          UC       0    0   1280 gif0
2001:4980:1::5                  link#7                          UHLW     2    4   1280 gif0
2001:4980:1::6                  link#7                          UHL      1    4   1280 lo0
2001:4980:1:111::               link#1                          UC       0    1   1500 fxp0
2001:4980:1:111::1              00:06:5b:05:30:19               UHL      1    4   1500 lo0
2001:4980:1:111::145            00:06:5b:05:30:19               UHL      2    4   1500 lo0
2001:4980:1:111::147            00:06:5b:38:2e:82               UHLW     1   14   1500 fxp0
fe80::                          localhost.secure-computing.net  UGRS     0    0  16384 lo0
fe80::%fxp0                     link#1                          UC       0    0   1500 fxp0
fe80::206:5bff:fe05:3019%fxp0   00:06:5b:05:30:19               UHL      1    0   1500 lo0
fe80::%fxp1                     link#2                          UC       0    0   1500 fxp1
fe80::206:5bff:fe05:301a%fxp1   00:06:5b:05:30:1a               UHL      1    0   1500 lo0
fe80::%lo0                      fe80::1%lo0                     U        0    0  16384 lo0
fe80::1%lo0                     link#3                          UHL      1    0  16384 lo0
fe80::%gif0                     link#7                          UC       0    0   1280 gif0
fe80::206:5bff:fe05:3019%gif0   link#7                          UHL      1    0   1280 lo0
fe80::%tun0                     link#8                          UC       0    0   1500 tun0
fe80::206:5bff:fe05:3019%tun0   link#8                          UHL      1    0   1500 lo0
ff01:1::                        link#1                          UC       0    0   1500 fxp0
ff01:2::                        link#2                          UC       0    0   1500 fxp1
ff01:3::                        localhost.secure-computing.net  UC       0    0  16384 lo0
ff01:7::                        link#7                          UC       0    0   1280 gif0
ff01:8::                        link#8                          UC       0    0   1500 tun0
ff02::                          localhost.secure-computing.net  UGRS     0    0  16384 lo0
ff02::%fxp0                     link#1                          UC       0    0   1500 fxp0
ff02::%fxp1                     link#2                          UC       0    0   1500 fxp1
ff02::%lo0                      localhost.secure-computing.net  UC       0    0  16384 lo0
ff02::%gif0                     link#7                          UC       0    0   1280 gif0
ff02::%tun0                     link#8                          UC       0    0   1500 tun0

Thanks for one last piece of advice!

-----
Eric F Crist
Secure Computing Networks